From 5c3c909c8541f26ae09577338d2302bed2a2f3a9 Mon Sep 17 00:00:00 2001
From: Chris
Date: Thu, 13 Jul 2017 14:02:33 -0700
Subject: Tweak WebSocket header-processing (#6929)

* fix

* consolidate code
---
 api/websocket_test.go | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'api')

diff --git a/api/websocket_test.go b/api/websocket_test.go
index a65ebc02e..18e1a6426 100644
--- a/api/websocket_test.go
+++ b/api/websocket_test.go
@@ -362,6 +362,15 @@ func TestWebsocketOriginSecurity(t *testing.T) {
 		t.Fatal("Should have errored because Origin contain AllowCorsFrom")
 	}
 
+	// Should fail because non-matching CORS
+	*utils.Cfg.ServiceSettings.AllowCorsFrom = "http://www.good.com"
+	_, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
+		"Origin": []string{"http://www.good.co"},
+	})
+	if err == nil {
+		t.Fatal("Should have errored because Origin does not match host! SECURITY ISSUE!")
+	}
+
 	*utils.Cfg.ServiceSettings.AllowCorsFrom = ""
 }
 
-- cgit v1.2.3-1-g7c22
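Review bot: The new assertion only checks `err == nil`, so a transport or connection error would also satisfy the "Origin does not match" case without proving the server rejected the handshake; pinning the failure type makes the check meaningful: `if err != websocket.ErrBadHandshake { t.Fatalf("expected bad handshake for prefix-matching Origin, got %v", err) }`. The `*http.Response` that `Dial` returns on a failed handshake is discarded as `_`, yet asserting its `StatusCode` would document which rejection the server actually sends. The comment `// Should fail because non-matching CORS` and the fatal message talk about the host, but what is exercised is that `http://www.good.co` must not be accepted as a prefix of the configured `http://www.good.com`; saying so, e.g. `// Should fail: Origin is a prefix of AllowCorsFrom but not equal to it`, helps the next reader. The config mutation is reset only on the success path at the end of `TestWebsocketOriginSecurity`, whose start lies outside the hunk; a `defer` that restores the previous `AllowCorsFrom` value at the top of the function would keep an earlier `t.Fatal` from leaking the modified setting into later tests.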